Summary
=======

This article describes how certain types of captchas (such as the ones used by a German online-banking site) can be automatically recognized using software. The attack does not recognize an individual captcha on its own but exploits a design error that allows multiple captchas containing the same information to be averaged. The result can be recognized by conventional OCR programs, thereby defeating the captcha.

Details
=======

The detailed article (including sample images) is online here:
http://www.cip.physik.uni-muenchen.de/~wwieser/misc/captcha/

Countermeasures
===============

Website developers can easily defend against this attack by not allowing the extraction of a series of different captcha images with the same content. Instead, the image should change only when the text content changes.

Captcha designers can defend against averaging attacks by not using noise-like distortions. For example, moving and rotating individual letters by a large enough distance/angle will spoil averaging by reducing the contrast in averaged images.

Contact: wwieser (at) gmx -dot- de

PLEASE do not CC me when posting to the list; I am subscribed.
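The website-side countermeasure above, sketched as an added example that is not part of the original post: a store that re-renders on every fetch is set beside one that pins a single image to each text and replaces the text whenever a new image is requested. The class names, the token scheme and the `render` stand-in (which models fresh random distortion with a random salt instead of drawing pixels) are assumptions made for illustration.

```python
import hashlib
import secrets
import string

ALPHABET = string.ascii_uppercase + string.digits

def render(text: str) -> bytes:
    """Stand-in renderer (assumption): a real one would draw `text` with fresh
    random distortion; the distortion is modelled here by a random salt."""
    salt = secrets.token_bytes(16)
    return salt + hashlib.sha256(salt + text.encode()).digest()

class RegeneratingCaptcha:
    """Flawed design from the article: same text, new distortion on every fetch."""
    def __init__(self):
        self._text = {}
    def issue(self) -> str:
        token = secrets.token_urlsafe(16)
        self._text[token] = "".join(secrets.choice(ALPHABET) for _ in range(6))
        return token
    def image(self, token: str) -> bytes:
        return render(self._text[token])  # bytes differ per request, text does not

class PinnedCaptcha(RegeneratingCaptcha):
    """Countermeasure: render once per text, serve the cached bytes afterwards."""
    def __init__(self):
        super().__init__()
        self._image = {}
    def image(self, token: str) -> bytes:
        if token not in self._image:
            self._image[token] = render(self._text[token])
        return self._image[token]
    def refresh(self, token: str) -> str:
        """A 'new image' request discards the old text together with its image."""
        self._text.pop(token, None)
        self._image.pop(token, None)
        return self.issue()
    def verify(self, token: str, answer: str) -> bool:
        """Single use: the challenge is consumed whether or not the answer is right."""
        expected = self._text.pop(token, None)
        self._image.pop(token, None)
        if expected is None:
            return False
        return secrets.compare_digest(expected.encode(), answer.upper().encode())

def distinct_images(store, fetches: int = 20) -> int:
    """Number of different images obtainable for one unchanged text."""
    token = store.issue()
    return len({store.image(token) for _ in range(fetches)})
```

`distinct_images` is the check to run against a deployment: any result above 1 means a client can collect several differently distorted images of the same text.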